Author Archives: admin

Network Penetration Testing training

Certified Network Penetration Tester

Secured Coding in Java

Advance Python Training

VMware Training

Cybersecurity services that can protect your company:

Certified Ethical Hacker Training in Bangalore

Other Location for Online Courses:

Bhubaneswar

Bangalore

Hyderabad

April 16, 2018
0

Pharos – Automated static analysis tools for binary programs

Category : Blog

Pharos

Pharos is a open source, static binary analysis framework that uses the ROSE compiler, developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics. These features help you automate common reverse engineering tasks with a focus on malicious code analysis. The Pharos framework is made up of the following static binary analysis tools.

Pharos

Pharos Static Binary Analysis Framework

The Pharos framework is a research project, and the code is undergoing active development. No warranties of fitness for any purpose are provided. While this release provides build instructions, unit tests, and some documentation, much work remains to be done. We’ve tested a few select build configurations, but have not actively tested the portability of the source code. See the installation instructions for more details.

Framework

Pharos Static Binary Analysis Tools

APIAnalyzer: The APIAnalyzer is a signature driven tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to be used to detect common operating system interaction parameters such as opening a file, writing to it, and the closing it.

APIAnalyzer

OOAnalyzer: OOAnalyzer is a tool for the analysis and recovery of object oriented constructs. It helps you identify object members and methods by tracking object pointers between functions in the program. This tool was previously named “Objdigger” and is being redesigned to use XSB Prolog rules to recover the object attributes. Earlier, ObjDigger used definition-use analysis to identify object pointers, known as this pointers. It accumulates context-free facts that are exported to Prolog for higher-level semantic analysis. When a line of reasoning doesn’t work out, Prolog backtracks and searches for a different solution.

OOAnalyzer

CallAnalyzer: Callanalyzer is a tool for reporting the static parameters to API calls in a binary program. It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides useful analysis of the code in a program.

CallAnalyzer

FN2Yara: FN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are are likely to have behavior in common.

FN2Yara

FN2Hash: FN2Hash is tool for generating a variety of hashes and other descriptive properties for functions in an executable program. Like FN2Yara it can be used to support binary similarity analysis, or provide features for machine learning algorithm.

FN2Hash

DumpMASM: DumpMASM is a tool for dumping dis-assembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE’s standard recursiveDisassemble instead.

DumpMASM

PyObjDigger: PyObjDigger is included as a plugin for the IDA Pro Dis-assembler (located at tools/objdigger/ida) to allow you to ingest, view, and modify ObjDigger results directly into IDA Pro. One of the most useful PyObjdigger features is its ability to annotate virtual function calls with clickable labels.

PyObjDigger

Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Certification – C|EH v10

Network Penetration Testing training

Certified Network Penetration Tester

Secured Coding in Java

Advance Python Training

VMware Training

Cybersecurity services that can protect your company:

Other Location for Online Courses:

Bangalore

Bhubaneswar

April 13, 2018
0

Danger of Using Public WiFi | What You Need to Know – ICSS

Category : Blog

Danger of Using Public WiFi

WiFi users are at risk from hackers, but fortunately there are safeguards against them. The recent explosion of free, public WiFi has been an enormous boon for working professionals. Since these free access points are available at restaurants, hotels, airports, bookstores, and even random retail outlets, you are rarely more than a short trip away from access to your network, and your work. This freedom comes at a price, though, and few truly understand the public WiFi risks associated with these connections.

Along with convenience for the public, public WiFi hotspots can also provide an easy way for identity thieves and cybercriminals to monitor what you’re doing online and to steal your passwords, your personal information, or both. Never assume that a public WiFi network is safe or secure. Remember, these passwords are shared, so anyone nearby can easily hop onto the network and see what you’re doing.

Tips & Advice:

Risks of Using Public WiFi:

Today many, if not most, people carry some form of Internet-enabled device with them, whether it is a phone, laptop, tablet or some other technology. To get online, and avoid extra expenses by using a cellular connection, However, there are many potential risks involved in using public Wi-Fi. Users are often not aware of exactly whose network they are joining, what data they are sharing or how they may be subject to a cyber attack.

Whose network you are joining?

Anyone can set up a wireless hotspot and name it as they wish. By setting their own network name (Service Set Identifier or SSID) to a common or commercially used SSID, someone running a rogue hotspot can attract connections from users who think they are joining a legitimate network. Some devices will automatically join networks with familiar SSIDs.

Which networks are safe

It is safest to assume that no public WiFi is secure. Airports are particularly risky locations due to the high concentration of targets that may not have access to a domestic cellular network and may have an urgent need to get online. Need often outweighs any perceived risk.

What are you agreeing to?

If you are asked to accept terms and conditions, ensure you read exactly what you are agreeing to. You may be agreeing to share more with your WiFi supplier than you think.

What data are you sharing?

Any encrypted data sent through a WiFi network can be monitored and collected. You may be potentially giving away information such as passwords, email content and web searches.

Risk & Attacks:

Rogue WiFi Networks:

An attacker set up a honeypot in the form of a free WiFi hotspot in order to harvest valuable data. The attacker’s hotspot becomes the conduit for all data exchanged over the network.

Man-In-The-Middle (MITM) Attacks:

An attacker compromises a WiFi hotspot in order to insert himself into the communications between the victim and the hotspot, to intercept and modify the data in transit.

Packet Sniffing:

An attacker monitors and intercepts unencrypted data as it travels across an unprotected network.

Anyone Can be an Attacker:

The tools required to carry out such an attack can often be easily obtained, therefore an attacker requires little technical experience or skill to carry out his criminal activities.

Data is a Valuable Commodity:

Attackers can monetise many types of stolen data and therefore they seek information such as online banking credentials, Bitcoin wallets and other sensitive data that can be used in identify fraud.

Safety Considerations:

DO’s

Use a virtual private network (VPN) to keep
your data encrypted in transit. They are quick
and easy to use while providing you
with privacy and safety.
Enable your firewall.
Look out for HTTPS in your browser bar – this
indicates that SSL encryption is active and
your communication is more likely to be secure.
Turn off the automatic connection feature within
the Wi-Fi settings to prevent your device from
connecting to public or open Wi-Fi networks
without your consent.
Keep your software patched and updated
Use anti-virus software and ensure it is up-to-date

DONT’s

Assume that a Wi-Fi network with a trustworthy SSID is genuine.
Share sensitive or personal data over a public Wi-Fi network unless you are sure the connection is secure. i.e. encrypted via HTTPS or a VPN.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

April 11, 2018
0

Deep-pwning | Metasploit for machine learning

Category : Blog

Deep-pwning

Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the goto penetration testing toolkit for statistical machine learning models.

Structure:

Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor etc.) into making an objectively wrong decisions. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.

This framework is built on top of Tensorflow, and many of the included examples in this repository are modified Tensorflow examples obtained from the Tensorflow GitHub repository.

All of the included examples and code implement deep neural networks, but they can be used to generate adversarial images for similarly tasked classifiers that are not implemented with deep neural networks. This is because of the phenomenon of ‘transferability’ in machine learning, which was Papernot et al. expounded expertly upon in this paper. This means that adversarial samples crafted with a DNN model A may be able to fool another distinctly structured DNN model B, as well as some other SVM model C.

Components:

Deep-pwning is modularized into several components to minimize code repetition. Because of the vastly different nature of potential classification tasks, the current iteration of the code is optimized for classifying images and phrases (using word vectors).

These are the code modules that make up the current iteration of Deep-pwning:

DriversThe drivers are the main execution point of the code. This is where you can tie the different modules and components together, and where you can inject more customizations into the adversarial generation processes.
Models is where the actual machine learning model implementations are located. For example, the provided lenet5 model definition is located in the model() function within lenet5.py.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

April 9, 2018
0

Malware | Trojans & Keyloggers | ICSS Student |Gopal Roy

Category : Blog

Malware

Malware means malicious software.in fact, it has been a problem for ages.it is basically a program designed to infect a computer without the owner’s knowledge.

Type of Malware

Malware exists in Manu forms. Some common types of malware that one needs to keep track of are:

Trojan Horse-Trojan virus or Trojan horse is a common type of malware.it is mostly used to control the victimized computer rather than infect or destroy files on it.A Trojan, horse once installed into the victim’s system, can give the hacker complete access to the victim’s computer Trojan are of the most dangerous forms of malware.

2. Computer Virus-A computer virus is a malicious program, which is mostly developed to infect a computer once it infects a computer, it replicates itself, A virus needs another host on which it can get attached in order to infect a computer.

3. Worms- Worms are almost similar to computer viruses. The only difference is that a computer virus does not require another host to attach to in order to infect a computer. Once a worm infects a computer.it replicates itself. Computer worms are major threats to large networks.

4. Keyloggers- It is a hardware or software device, which monitors every keystroke, screenshots,chats,etc ,typed on a computer . A key logger program does not require physical access to the user’s computer. Any person whit basic knowledge of computer can use a key logger.

5. Adware- Adware stands for Advertisement-supported Software. Adware is commonly designed to display Advertisement on a computer .However, some adware may contain harmful viruses and spying programs, which can harm the computer system.

After understanding malwares, their types and their function, learn about keyloggers in detail.

Keyloggers:

Keyloggers are of two Types:

Hardware Keyogger
Software Keyogger

Hardware keylogger IS USED FOR keyloggers loggers. A hardware keylogger is plugged between the keyoggers plug and the USB or PS/2 port socket, and it works with PS/2 keylogger and USB Keyboards looks similar to a normal USB drive or any other computer peripheral. Due to this, the victims can never about that is a keyogger. Hardware keyogger has inbuilt memory. Which stores the typed keylogger.

1.Hardware keyloggers

2. ps/2 keylogger

3. Usb keylogger

Keygrabber – Best Hardware Keylogger

Keygrabber is one of the best and most popular hardware keyloggers across the globe. The is primarily because of its large storage capacity. Keygrabber keystroke recorder comes in a standard version-4MB memory capacity, 2,000,000 keystrokes(over 1,000 pages of text), and a Venom version 2 billion keystrokes (over 1 million pages of text), organized into an advance flash FAT file system. It is compatible with all the three operating systems,i.e., windows, Linux and Mac OS.

Features of hardware keylogger:

*Observer www.e-mail and chat usage by children and employees

*Monitors employee productivity

*Protects children from online hazards and predators

*saves a copy of the typed text

*Records all keystrokes-even Facebook Password

*Huge memory capacity, organized as an advance flash FAT system

Software Keyloggers:

The hardware keylogger is useful only if you have physical access to the victim’s computer However, if you don’t and if by any chance the victim notices it and knows about your intention, It is only then that the software keylogger come into the picture.

Software keylogger can also be classified into two types:

*Local Keylogger

*Remote keylogger

Local keylogger: They are used to monitor local computer(even your own PC).They are easy to install and are completely undetectable.However,once installed in the computer, they become

Really difficulty to find them. This is because the keylogger hide themselves from the Task manager. Windows registry,etc.

Whenever you want to see logs, screenshot,etc,press a short key (example,ship+ctrl+f10)

There are hundreds of keyloggers available nowadays.However,some of them are user-friendly and actually capable of hiding themselves once they are installed.

Some popular local keyloggers are:

Spy Agent
Refog Keylogger

Spy Aggent:

Spy Agent is an award-winning software, which is used to monitor both local and remote computers. It invisible monitors all computer usage and internet activities.spyAgent’s logging capabilities are unmatched. Spy agent can log anything from what the users type, to the files they print and programs they run-all time stamped by date for easy viewing .ALL logs are easily saved and exported for later use.spyagent can be confifured to log all users on you computer with ease.spyagent monitors and log both sides of all chat conversations made on chat clients (supported clients include the latest versions of AOL,AOL instant Messnger,MSN Messenger,ICQ pro and ICQ Lite).

Spy Agent keylogger:

Features of spy agent keylogger

It records:

*Keystroke monitoring

*Internet Connections

*Internet Conversations

*Website activate

*E-mail sent and received

*File/documents accessed and printed

*Windows activate

*Application usage

*Screenshot capturing

*Clipboard logging

*Events logging

*Activity logging

Refog is extremely powerful and has very low antivirus detection rete. It is one of the leading remote passwords hacking software combined whit Remote Install and Remote Viewing features. Once installed on the remote PC (s),the user only needs to login to his/her personal Refog account to view activity logs of the remote PC.This means that the user can view logs of the remote PC from any where in the would, as long as he/she has Internet access.

Features of Refog Keylogger are as follows:

Keystroke recording: Once installed and running. Refog registers all keys pressed by the user, thus action as a keylogger. This function captures all data that has been entered using the keyboard, including chats, username,password,e-mail, search queries and other content. In addition to key logging, refuge is also enabled to log clipboard text.
Web History Logging: Even If users delete their prowler history, the information is retained in refog’s log database, and is always available via the reports function. All relevant information can be collected including URLs visited page titles, etc.
Application monitoring: since Refog can record all programs executed on a PC, it is hence possible to establish if a child is playing game instead of doing homework, an employee is wasting time logs etc sitting in any part of the world.

You can find tons of Remote keyloggers on web but lots of them are either not capable of properly recording keystrokes or they have a high antivirus detection rete.one keylogger worth the price is win spy.

Remote Keylogger:

Remote keylogger are used for the purpose of monitoring a remote pc, once a remote keylogger is installed on your computer the attacker can get your keystrokes, your webcam shots, chat logs etc sitting in any part of the world.

You can find tons of Remote keylogger on web but lots of them are either not capable of properly recording keystrokes or they have a high antivirus detection rate. One keylogger worth the price is win Spy.

Winspy Keylogger:

WinSpy Software is a complete stealth Monitoring software that both monitor your Local PC and remote PC.It includes remote install and real-time remote PC viewer. Win spy software will capture anything the user sees or type the keyboard.

Features:

*Remote Screen Capture

*Remote Monitoring

*Remote PC Browser

*Notify’s User Online

*Remote Sound Listening/Recording

*Remote Camera view/Recording

*Remote File Launch

*Dualside Chat Recording

*Remote shutdown

*Remote FTP

*Webcam-motion Detect

*WebAccess Remote PC

*SMS Intruder Alert

*Works behind Firewall

RAT (TROJANS):

Rat or ‘Remote Administration Tool’s is one of the most dangerous types of malware. It is very similar to a Trojan. Once a RAT is installed in a computer, the attacker can do almost anything on the remote computer, such as installing a keylogger, shutting down the computer, infecting files, uploading & downloading files, etc If this is successful, the Trojan can operate with increased privileges, and go about installing other malicious codes. If the user has administrative access to the operating system, the Trojan can do anything that an administrator can.

A Compromise on any system on a network may have consequences for other system on the network. Particularly vulnerable are system that transmit authentication material, such as passwords, overshared networks in clear text or in a trivially encrypted from, which very common. If a system on such a network is compromised via a Trojan (or another method), the intruder may be able to record usernames and password or other sensitive information as if navigates through the network.

Some common types of RATS are:

*ProRat

*Lost Door

FUNCEHION:

Trojan work similar to the client-server model. Trojan come in two parts, Client and server part. The attacker deploys the Client to connect to the server, which runs on the remote machine when the remote user(unknowingly) executes the Trojan on the machine. The typical protocol user by most Trojan is the TCP?IP protocol;however,some functions of the Trojans may mark use of the UDP protocol as well.

When the server is activated on the remote computer, it will try remain in a stealth mode or simply stay hidden, This is configurable, for example, in the Back Orifice Trojan, the server can be configured to remain in stealth mode and hide its processes.Onec activated, the server starts to listen on default or configured ports for incoming connections from the attacker.it is usual for Trojan to also modify the registry and/or use some other auto-starting methods.

Most Trojan use auto-starting methods so that server are restarted every time the remote machine reboots/starts, which in turn also notifies the attacker. As these features are being countered, new auto-starting methods are evoling.The Startup method ranger from associating the Trojan whit certain common executable files such as exploere.exe to the known methods such as modifying the system files or the Windows Registry. Some of the Popular system files targeted by Trojan are Auto start Folder, Win.ini,system.ini,wininit.ini,winstart.bat,Autoexec.bat ,Config.sys

Now, after getting the clear idea about RATS (TROJANS),let us see as to how we can even use Trojan to hack into a system.

ProRat:

ProRat is a powerful remote administrator tool ( RAT ) based on backdoor Trojan . It opens a port on the infected system , which allows the client to perform various operations on the infected computer . ProRat cannot to users over the WANs ( Wide Area Networks ) . It can connect only over LANs ( Local Area Networks ) . However , once ProRat is installed , almost impossible to remove it without up – to date antivirus software .

The following procedure is usually followed by a hacker to take control of the victim ‘ s computer using ProRat . it also dis cusses some of the author is using functions , which can be performed with the help of this Trojan . Here the author is using the term `you ‘ to the hacker .

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

April 6, 2018
0

Pentmenu: a bash script for recon and DOS attacks

Category : Blog

Pentmenu

Pentmenu is a bash script inspired by pentbox. It is designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most Linux distributions without having to resort to multiple specialist tools.

Requirements for Pentmenu:

bash
sudo
curl
netcat (must support ‘-k’ option, openbsd variant recommended)
hping3 (or nping can be used as a substitute for flood attacks)
openssl
stunnel
nmap
whois (not essential but preferred)
nslookup (or ‘host’)
ike-scan

Module detail:

Recon Modules:

Show IP – uses curl to perform a lookup of your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IP’s.

DNS Recon – passive recon, performs a DNS lookup (forward or reverse as appropriate for target input) and a whois lookup of the target. If whois is not available it will perform a lookup against ipinfo.io (only works for IP’s, not hostnames).

Dos Modules:

ICMP Echo Flood – uses hping3 to launch a traditional ICMP Echo flood against the target. On a modern system you are unlikely to achieve much, but it is seful to test against firewalls to observe their behaviour. Use ‘Ctrl C’ to end the flood. The source address of flood packets is configurable.
ICMP Blacknurse Flood – uses hping to launch an ICMP flood against the target. ICMP packets are of type “Destination Unreachable, Port Unreachable”. This attack can cause high CPU usage on many systems. Use ‘Ctrl C’ to end the attack. See http://blacknurse.dk/ for more information. The source address of flood packets is configurable.

Extraction Modules:

Send File – This module uses netcat to send data with TCP or UDP. It can be extremely useful for extracting data. An md5 and sha512 checksum is calculated and displayed prior to sending the file. The file can be sent to a server of your choice; the Listener is designed to receive these files.

Listener – uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receive files or checking for active scanning on the network.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

April 5, 2018
0

AWS S3 Security Scanning Tool | AWSBucketDump

Category : Blog

AWS

AWS launched in 2006 from the internal infrastructure that Amazon.com built to handle its online retail operations. AWS was one of the first companies to introduce a pay-as-you-go cloud computing model that scales to provide users with compute, storage or throughput as needed.

Amazon Web Services provides services from dozens of data centers spread across availability zones (AZs) in regions across the world. An AZ represents a location that typically contains multiple physical data centers, while a region is a collection of AZs in geographic proximity connected by low-latency network links. An AWS customer can spin up virtual machines (VMs) and replicate data in different AZs to achieve a highly reliable infrastructure that is resistant to failures of individual servers or an entire data center.

AWSBucketDump

AWSBucketDump is an AWS S3 Security Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files. It’s similar to a subdomain brute-forcing tool but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.

This is a tool that enumerates Amazon S3 buckets and looks for interesting files.

How To Fix AWS

AWS Simple Storage Service (often shortened to S3) is used by companies that don’t want to build and maintain their own storage repositories. By using Amazon Simple Storage Service, they can store objects and files on a virtual server instead of on physical racks – in simple terms, the service is basically “A Dropbox for IT and Tech teams”. After the user has created their bucket, they can start storing their source code, certificates, passwords, content, databases and other data. While AWS promise safely stored data and secure up-and downloads, the security community has for a long time pointed out severe misconfigurations.

AWSBucketDump S3 Security Tool Requirements :

Non-Standard Python Libraries:

xmltodict
requests
argparse
Created with Python 3.6

Usage:

usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]

optional arguments:

-h, –help show this help message and exit

-D Download files. This requires significant diskspace

-d If set to 1 or True, create directories for each host w/ results

-t THREADS number of threads

-l HOSTLIST

-g GREPWORDS Provide a wordlist to grep for

-m MAXSIZE Maximum file size to download.

python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

April 3, 2018
0

Sandiflux: Another botnet using Fast Flux technology has emerged

Category : Blog

SandiFlux

SandiFlux is a new Fast flux infrastructure has been identified. Hackers started using Fast Flux infrastructure in wild to hide the malicious activities such as malware and phishing campaigns.

Fast Flux is a technique to have multiple IP addresses assigned to the same domain and they change consistently in quick sessions through DNS records.

Security researchers from Proofpoint identified a new Fast Flux infrastructure dubbed as SandiFlux used to distribute malware and it is acting as a proxy for Grand crab ransomware.

Starting from December researchers observed new fast flux domain nodes and they decided to monitor separately along with some events from the dark cloud. Also, threat actors moved from DarkCloud to Sandiflux.

Proofpoint said that their findings come from long-term observations of the DarkCloud botnet. DarkCloud has been using Fastflux technology since 2014. Most infected computers that makeup Dark Cloud are concentrated in Ukraine and Russia (77.4% and 14.5%, respectively).

Unlike DarkCloud, SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3%, respectively), but also a small number of other areas, such as Europe, Africa, the Middle East and southern Asia.

Similar services as SandiFlux:

Similar services are offered by operators Dark Cloud, also Fluxxy, a multi-purpose botnet, whose activities in Proofpoint have been monitored since 2014. This infrastructure allows you to quickly and automatically change IP addresses, domains and even DNS servers to extend the life of fraudulent sites, malicious sites and C & C servers .

Dark Cloud is widely used by carders , exploit-pack operators , authors of malvertising-campaigns, spammers, phishers, herdsmen and malware operators – for example, downhiller Furtim, also SFG .

Now, according to Proofpoint, some of these intruders began to migrate to SandiFlux. So, in February a new opportunity was tested by the distributor zloader – the author of malicious campaigns, which the researchers conventionally call TA547. In November, this attacker, according to observations, used the infrastructure of Dark Cloud.

Conclusion:

Fast Flux DNS has proved to be a powerful tool for threat actors looking to hide dark web sites, malicious infrastructure, and other web-based operations from researchers and law enforcement. While DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both DarkCloud and SandiFlux are operated by the same actor who rents capabilities to other actors. GandCrab ransomware in particular now has its command and control proxied behind SandiFlux, although a number of other actors we track are making use of the infrastructure to mass their operations. While direct effects on compromised hosts include performance and bandwidth degradation, the more significant global impact is increased capacity for providing Fast Flux DNS to threat actors.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

April 2, 2018
0

Streamalert: Serverless, Realtime Data Analysis Framework

Category : Blog

Streamalert

StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define. A serverless framework for real-time data analysis and alerting.

Airbnb needed a product that empowered both engineers and administrators to ingest, analyze, and alert on data in real-time from their respective environments.

Features of Streamalert:

Deployment is automated: simple, safe and repeatable for any AWS account
Easily scalable from megabytes to terabytes per day
Infrastructure maintenance is minimal, no devops expertise required
Infrastructure security is a default, no security expertise required
Supports data from different environments (ex: IT, PCI, Engineering)
Supports data from different environment types (ex: Cloud, Datacenter, Office)
Supports different types of data (ex: JSON, CSV, Key-Value, or Syslog)
Supports different use-cases like security, infrastructure, compliance and more

Benefits:

As partially outlined above, StreamAlert has some unique benefits:

Serverless — StreamAlert utilizes AWS Lambda, which means you don’t have to manage, patch or harden any new servers
Scalable — StreamAlert utilizes AWS Kinesis Streams, which will “scale from megabytes to terabytes per hour and from thousands to millions of PUT records per second”
Automated — StreamAlert utilizes Terraform, which means infrastructure and supporting services are represented as code and deployed via automation
Secure — StreamAlert uses secure transport (TLS), performs data analysis in a container/sandbox, segments data per your defined environments, and uses role-based access control (RBAC)
Open Source — Anyone can use or contribute to StreamAlert

StreamAlert utilizes the following services:

AWS Kinesis Streams — Datastream; AWS Lambda polls this stream (stream-based model)
AWS Kinesis Firehose — Loads streaming data into S3 long-term data storage
AWS Lambda (Python) — Data analysis and alerting
AWS SNS — Alert queue
AWS S3 — Optional datasources, long-term data storage, & long-term alert storage
AWS Cloudwatch — Infrastructure metrics
AWS KMS — Encryption and decryption of application secrets
AWS IAM — Role-based Access Control (RBAC)

If you’re not an AWS customer, StreamAlert can support data such as:

Host Logs (e.g. Syslog, osquery, auditd)
Network Logs (e.g. Palo Alto Networks, Cisco)
Web Application Logs (e.g. Apache, nginx)
SaaS providers (e.g. Box, OneLogin)

It should be noted that StreamAlert is not intended for analytics, metrics or time series use-cases. There are many great open source and commercial offerings in this space, including but not limited to Prometheus, DataDog and NewRelic.

Concluding Thoughts:

Open source has allowed us as a community, to both share, collaborate, and iterate on common needs and goals. Now with the ability to represent infrastructure as code, this goal can be further realized with reduced costs for both development and deployment.

We hope StreamAlert serves as an example of this, making deployment simple, repeatable and safe so that anyone can use it easily.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company: